Steam vulnerability can lead to remote insertion of malicious code

New attack exploits hidden capabilities of Steam URL handler in some browsers.

Millions of Steam users are potentially exposed to a newly disclosed attack method that abuses the way steam:// commands are passed from Web browsers, e-mail clients and other software into Steam and, through Steam, into certain games.

Security researchers at ReVuln, based in Malta, published details of the attack [PDF] earlier this week. The vulnerability resides in the Steam browser protocol, which websites such as the Steam Web Store commonly use to install, uninstall or launch Steam games and perform other routine tasks through URLs beginning with "steam://". By getting a user to open a specially crafted steam:// URL, an attacker can remotely trigger buffer overflows and other bugs in various Steam games, and in Steam itself, to write and run malicious code on the target's machine, as shown in a posted proof-of-concept video.

"This is a completely new attack vector, so it's not related to a single game," Donato Ferrante, a ReVuln co-founder and security researcher, told Ars. "Most of the games on Steam share the same game engine." Once attackers have identified a vulnerability in one of the engines, they can use the Steam protocol to exploit it, he explained. The other ReVuln security researcher and co-founder involved in the discovery was Luigi Auriemma.

For instance, a steam:// URL can invoke the "reinstall" command with a splash-image path that points at a Windows network share controlled by the attacker. By exploiting an integer overflow in the way Steam parses that splash image, the attacker can get attacker-controlled data, and ultimately code, into the Steam process's memory on the target machine.

Other exploits disclosed in the ReVuln report depend on the targeted user having specific Steam games installed. One attack uses a steam:// URL to pass attacker-chosen, URL-encoded command-line parameters to any game built on the popular Source engine; those parameters make the game write a new log file, with arbitrary content, to a location of the attacker's choosing. With that primitive the attacker can fabricate a batch file from whole cloth and drop it in the target's Startup folder, for instance. Similar exploits described in the paper target games running the Unreal Engine, as well as specific titles such as APB Reloaded and MicroVolts. Note that these games don't have to be running for the attack to work: simply having them installed through Steam appears to be enough for a crafted URL to reach them.
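The steam://run form that the paragraph above refers to carries the game's command line inside the URL. The following Python model is added here as an illustration; it is not code from Steam, from ReVuln's paper or from any game. It parses the documented launch format, steam://run/<appid>//<args>/, shows a handler that forwards the arguments untouched (the behaviour the disclosed attacks rely on), and beside it a hardened handler that allowlists switches, validates their values and caps the total argument length. The app id 12345, the switch names, the placeholder executable name and the "-logpath" switch standing in for an engine's "write a log file here" option are all assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote

# Switch allowlist for the hardened handler.  The names are assumptions for
# this demonstration; a bare flag maps to None, a switch that takes a value
# maps to a validator for that value.
ALLOWED_SWITCHES = {
    "-windowed": None,
    "-novid": None,
    "-width": re.compile(r"^\d{3,4}$"),
    "-height": re.compile(r"^\d{3,4}$"),
}


def parse_steam_run_url(url):
    """Split steam://run/<appid>//<args>/ into (appid, [arg, ...]).

    Returns None for anything that is not a well-formed run URL.  The
    argument block is percent-decoded and whitespace-split, a simplification
    of whatever tokenizing the real client and engine do.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "steam" or parts.netloc.lower() != "run":
        return None
    path = unquote(parts.path)              # "/<appid>//<args>/"
    if path.startswith("/"):
        path = path[1:]
    appid, sep, raw_args = path.partition("//")
    if not appid.isdigit():
        return None
    raw_args = raw_args[:-1] if raw_args.endswith("/") else raw_args
    return int(appid), (raw_args.split() if sep else [])


def vulnerable_launch(url):
    """The behaviour the article describes: arguments reach the game as-is."""
    parsed = parse_steam_run_url(url)
    if parsed is None:
        return None
    appid, args = parsed
    return ["game-%d.exe" % appid] + args   # placeholder binary name


def hardened_launch(url, allowed=ALLOWED_SWITCHES, max_len=256):
    """Forward only allowlisted switches with well-formed values.

    Returns (argv, rejected); each rejected entry is (token, reason) so the
    caller can log what a link tried to do.
    """
    parsed = parse_steam_run_url(url)
    if parsed is None:
        return None
    appid, args = parsed
    argv, rejected = ["game-%d.exe" % appid], []
    if sum(len(a) for a in args) > max_len:
        return argv, [("<all>", "argument list too long")]
    i = 0
    while i < len(args):
        tok = args[i]
        i += 1
        if tok not in allowed:
            rejected.append((tok, "not in allowlist"))
            continue
        validator = allowed[tok]
        if validator is None:               # bare flag, no value
            argv.append(tok)
            continue
        if i >= len(args):
            rejected.append((tok, "missing value"))
            continue
        value = args[i]
        i += 1
        if not validator.match(value):
            rejected.append((tok + " " + value, "malformed value"))
            continue
        argv.extend([tok, value])
    return argv, rejected


if __name__ == "__main__":
    # Constructed link of the kind the article describes: the argument block
    # names a file under the Startup folder.  "-logpath" is a stand-in switch.
    evil = ("steam://run/12345//-logpath%20%25APPDATA%25%5CStartup%5Cevil.bat"
            "%20-windowed/")
    print("vulnerable:", vulnerable_launch(evil))
    print("hardened:  ", hardened_launch(evil))
```

The point of the allowlist living in the handler is that it protects every installed game at once, whereas fixing the games means fixing each engine's own argument parsing. The length cap is a cheap second line of defence against the overflow-style bugs the report also describes, but on its own it does nothing about a short, well-formed argument that simply names the wrong file.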

Not all Web users are equally at risk from these attacks. Browsers such as Chrome and Internet Explorer show an explicit warning when a Steam link is clicked, telling the user that an external program is about to be opened, and Firefox asks for confirmation (without explicitly warning of any risk). Browsers including Apple's Safari and the bare WebKit browser, though, hand steam:// URLs to the program without any prompt, so an attack can go completely unnoticed. Many browsers that prompt by default can be configured to stop prompting, so attacks may work more widely than that list suggests, Ferrante said.

Further, while the attack is less conspicuous if Steam is already running in the background, in a browser that doesn't prompt the URL handler can start Steam itself and deliver the malicious payload before the user has a chance to intervene.

If you are running Steam and using a vulnerable browser, you can protect yourself by going into your browser's protocol-handler settings, where it offers them, and disabling automatic launching of steam:// URLs. If your browser already warns when a URL tries to launch an external program, pay special attention to any unexpected link that tries to launch Steam.
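The advice to watch for suspicious links assumes the link is something the user sees and clicks, but a page can also hand the URL to the handler through a meta refresh, a hidden iframe, an inline event handler or script, which is why the browser's external-protocol prompt matters so much. The scanner below is an added example, not code from the article or from ReVuln: it walks a page (or an HTML e-mail body) with Python's html.parser, reports every mechanism that could deliver a steam:// URL to the operating system, and singles out run URLs that carry an argument block. The sample page is constructed for the demonstration, and the app id and switch names in it are made up.

```python
import re
from html.parser import HTMLParser

# "steam:" with optional whitespace before the colon; used on script and
# handler text, where the URL may be assembled from pieces at run time.
STEAM_SCHEME = re.compile(r"steam\s*:", re.IGNORECASE)

# Constructed sample: a page that tries every delivery route at once.  The app
# id and the switch names in the argument blocks are made up for this example.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=steam://run/12345//-logpath%20x.bat/">
</head><body>
<p>Click <a href="steam://store/12345">here</a> for a free game!</p>
<iframe src="STEAM://run/12345//-foo/" style="display:none"></iframe>
<a href="st&#9;eam://run/12345//-qux/">tab inside the scheme</a>
<img src="x" onerror="location.href='steam://run/12345//-bar/'">
<script>setTimeout(function(){ window.location = "steam:" + "//run/12345//-baz/"; }, 500);</script>
</body></html>"""


class SteamLinkFinder(HTMLParser):
    """Collect every place in a page that can hand a steam:// URL to the OS."""

    # Attributes the browser itself resolves as navigation targets.
    URL_ATTRS = {"a": "href", "area": "href", "iframe": "src", "frame": "src",
                 "form": "action", "link": "href"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []              # (mechanism, url or code snippet)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self._in_script = True
        url_attr = self.URL_ATTRS.get(tag)
        if url_attr and url_attr in attrs:
            self._check(tag + "[" + url_attr + "]", attrs[url_attr])
        # <meta http-equiv=refresh content="0;url=..."> navigates without a click.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)", attrs.get("content", ""), re.IGNORECASE)
            if m:
                self._check("meta-refresh", m.group(1))
        # Inline event handlers (onload, onerror, ...) run script on the page's terms.
        for name, value in attrs.items():
            if name.startswith("on") and STEAM_SCHEME.search(value):
                self.hits.append(("event-handler:" + name, value))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and STEAM_SCHEME.search(data):
            self.hits.append(("script", data.strip()))

    def _check(self, mechanism, url):
        # Browsers drop ASCII tab, CR and LF from a URL before parsing it and
        # ignore leading/trailing spaces, so normalise the same way.
        cleaned = re.sub(r"[\t\r\n]", "", url).strip()
        if STEAM_SCHEME.match(cleaned):
            self.hits.append((mechanism, cleaned))


def find_steam_launchers(html):
    """Return [(mechanism, url_or_snippet), ...] in document order."""
    parser = SteamLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def passes_arguments(url):
    """True for steam://run URLs carrying a '//'-delimited argument block,
    the form that reaches a game's command line."""
    body = re.sub(r"^steam:/*", "", url, flags=re.IGNORECASE)   # "run/12345//-x/"
    return body.lower().startswith("run/") and "//" in body[4:]


def triage(html):
    """Navigation-delivered run URLs that pass arguments: the ones to look at first."""
    return [(m, u) for m, u in find_steam_launchers(html)
            if not m.startswith(("script", "event-handler")) and passes_arguments(u)]


if __name__ == "__main__":
    for mechanism, target in find_steam_launchers(SAMPLE_HTML):
        print("%-22s %s" % (mechanism, target))
    print("worth a closer look:", [u for _, u in triage(SAMPLE_HTML)])
```

The script and event-handler hits are reported as snippets rather than URLs because the scanner only sees the literal "steam:" text; a page that builds the scheme from smaller pieces at run time will slip past any static scan, which is the practical argument for relying on the browser's prompt rather than on content filtering alone.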

Valve has yet to respond to a request for comment on the newly publicized vulnerability.

"This is a completely new attack vector, so it's not related to a single game," Donato Ferrante, a ReVuln co-founder and security researcher, told Ars. "Most of the games on Steam share the same game engine."

Either Mr. Ferrante is poorly wording his argument, or he is grossly misinformed about the engine usage on Steam. I hope he means to say, "Most of the games on Steam share game engine code with one or more other games." However, I infer that he means most Steam games use the Source engine (inferred from the attack details two paragraphs below his quote) which is absolutely false.

It's interesting how times have changed. From the way the article describes this exploit, you are at the most risk if you run Apple software. This is in no way meant to bash Apple, as you're still not safe on any other platform if you click through your prompts (as most people do, and as I would do for Steam). It's just a sign of the changing times. No user, software or hardware is safe anymore. Ars just ran a story this morning on how hospital HARDWARE can be malware infected.

Hopefully the technological community stops doing things like hardcoding passwords into critical infrastructure devices and starts designing hardware and software with security in mind.

They mention the Unreal engine as well, which a significant number of high profile games utilize.

Both this article and ReVuln's paper omit a key question: Did the researchers contact Valve and give them opportunity to patch the vulnerability before this public release? It looks like a surprise announcement, which is serious assholery.

Because not having DRM on Steam would have solved this problem amirite!?

I presume he is saying that he and some others would not run Steam if it was not required by certain DRM. That type of person would not be vulnerable. It is a valid argument, but I suspect it applies to a very small segment of Steam users.

As a hobbyist game programmer myself, I've looked in to the Steam API.

First, most games on Steam do not "use the same engine" - the engines are varied and quite a few different technologies are at play.

However, any game on Steam is required to implement a common set of instructions that are largely a closed box to developers. They link in the Steam API through DLLs, hook the methods and let the DLLs do their own thing.

So, if the vulnerability is in those DLLs, that's a lot of patching each and every game will have to do - not because they share a common engine (many don't) but because they share a common API. One provided by Steam.

So where are these malicious coded URLs? Where does one go to click on them in the first place?

If they could conceivably live on the Steam store or in the Steam forums then this can be a problem (because there is some level of trust), but if they live anywhere else any person who is halfway web intelligent would know not to click. Most gamers in general are web savvy enough to not get jacked by this, let alone PC gamers.

I launch all my Steam games from within the Steam client, which I think is based on webkit. But by doing so, all the links I have should have been generated by the Steam service. So, is an attacker going to somehow feed me a malformed URL by intercepting my communication with Steam? Or does this vulnerability only affect those who use Steam via their webpage by using another browser other than the Steam client?

Although, this vulnerability may help explain what may be behind those dodgy "get free Steam games" types of websites.

Apparently you can make some sort of weird steam:// url and this will in turn launch code that COULD be executed in the context of the Steam client. Does anyone actually use steam:// urls outside of the Steam browser? Obviously the Steam browser is based on an internal WebKit fork.

Any application can register a protocol handler. Steam client registers steam:// which means that any steam:// link on a website will be passed to Steam if the user clicks on it. Just like having an irc:// link on a site would pass the link to an IRC client if you have one, or mailto: will launch the default mail client.

It has nothing to do with how you launch your games personally, the fact that these links are passed to steam is all that is required to potentially exploit people who have certain games installed. Of course, passing links to other applications is (and has been) a security flaw in the past, which is why modern web browsers (chrome, firefox, etc) have implemented warnings when a site attempts to pass a link to another application.

Additionally, though it is not mentioned in the article or the relevant articles regarding the vulnerability, there is nothing to prevent a single site trying to exploit tens, maybe even hundreds of games at a time (though again, web browsers like chrome would give you an obnoxious number of warnings in that case).

EDIT: Remember, people can post URLs effectively anywhere: forums, emails, instant messages, so it doesn't matter where steam:// URLs *are currently used*. Anyone can post a malicious URL like this. Be very wary of these links if they are posted anywhere unexpected; messageboards/imageboards, reddit, forums, emails are all likely targets.

Any link on any website in any browser could start with "Steam://" which calls steam into action. So any computer with steam, when presented with a malicious link is a possible vector -- as I understand it.

My question is, could a web-page redirect or javascript also initiate this? I'm guessing so, and that's a little more troubling.

I'm aware of many sites that will send you down a seeming endless loop of pop-ups and re-directs to more pop-ups. Of course if you're aware of certain methods to stop such shenanigans it's not an issue, but for those that aren't....

Does this flaw affect both PC and Mac? I didn't see it mentioned in the article.

It should, assuming an attacker designed their payload appropriately. The Steam URL handling behavior exists on both platforms. On Windows I believe the setting is stored in the registry. In OS X URL handling is registered via LaunchServices, with the settings found in

Code:

~/Library/Preferences/com.apple.LaunchServices.plist

While the article finishes with:

Kyle Orland wrote:

If you are running Steam and using a vulnerable browser, you can protect yourself by going into the settings and disabling automatic launching of Steam:// URLs.

I don't actually see any option for that in Steam under OS X. It appears it'd be necessary to delete the entries and then prevent Steam from regenerating them. Ultimately a proper solution needs to come from Valve's side.

My question is, could a web-page redirect or javascript also initiate this? I'm guessing so, and that's a little more troubling.

Yes. Browsing to a web page loaded with this in a browser like Chrome, Firefox or newer versions of IE will give you a clear prompt and the ability to stop it. If you use Safari or some esoteric browser, you will need to be extremely careful in your browsing habits.

I too am not 100% clear on this either. From what I understand, I think this is only the case where users are browsing for Steam items (and thus steam:// links) from a third-party browser. I don't see them being able to get to the Steam client browser as that only presents you with first-party Steam sites. That is, unless you use your Steam client web browser to access non-Steam sites, which I am not entirely sure is even possible.

I don't know about you, but whenever I am browsing Steam games, its via the official Steam client (which is presumably not affected by this exploit) whenever I have it installed. If I am browsing steam via a standard web browser, it is usually because I am at a computer that does not have Steam installed. So in both these cases this vulnerability is rendered useless right? It only works if you have the Steam client installed and are browsing for games via a standard web browser. A little more clarification would be helpful.

The vulnerability would come if an attacker got you to click on a Steam:// URL that they created specifically to get malicious code onto your system. Just clicking around official links in the Steam Web Store will not expose you to risk. Sorry if this was unclear.

Does this flaw affect both PC and Mac? I didn't see it mentioned in the article.

Given the nature of the exploit, it seems like the attack vector (malformed URLs) could be used against a Mac assuming that Macs allow for "steam://" links to be handled by an arbitrary application (Steam, in this case). I don't know if OS X supports that or not (I don't own a Mac), but if it does then the attack vector is still valid.

However, the actual attack will need to be different on a Mac, obviously; writing a Windows batch file isn't going to do squat to a Mac.

That makes sense. I guess what grabbed me is that I do all my business with Steam through the Steam client and nothing else, so seeing a Steam:// URL elsewhere would make me think, "WTF" and that automatically sets off a red flag in my mind to perhaps leave it all alone. But thinking about this further, Steam does have its own built-in IM system which I have used to keep in touch with colleagues on occasion. A malformed Steam:// URL there may seem less suspicious at a glance, but can still be just as deadly as any malformed link in an e-mail, forum, or other IM conversation.

If you are running Steam and using a vulnerable browser, you can protect yourself by going into the settings and disabling automatic launching of Steam:// URLs.

I don't actually see any option for that in Steam under OS X. It appears it'd be necessary to delete the entries and then prevent Steam from regenerating them. Ultimately a proper solution needs to come from Valve's side.

I believe the writer meant to go into your *browser* settings and disable automatic launching of "steam://" URLs.

My question is, could a web-page redirect or javascript also initiate this? I'm guessing so, and that's a little more troubling.

Yes, both of those could open a Steam protocol link. However, to my knowledge all the browsers that warn you about opening a foreign protocol will do so regardless of it being clicked, redirected, or executed within JS. Thus, only Safari and co. would be more vulnerable to a JS or redirect exploit.

The vulnerability would come if an attacker got you to click on a Steam:// URL that they created specifically to get malicious code onto your system. Just clicking around official links in the Steam Web Store will not expose you to risk. Sorry if this was unclear.

Certainly. Thank you.

I've seen link-spam for shifty "get free Steam games" sites on Steam Greenlight, before (although not recently). I wasn't sure what the motivation for such sites could be except to spread malware. So now I am wondering if these exploits are already in the wild...?

The issue is, some browsers, like Firefox, give you an option to automatically process the handler from that moment on. So a Firefox where the user said "do this every time" is now processing Steam handlers automatically every time.

That makes sense. I guess what grabbed me is that I do all my business with Steam through the Steam client and nothing else, so seeing a Steam:// URL elsewhere would make me think, "WTF" and that automatically sets off a red flag in my mind to perhaps leave it all alone.

URLs do not necessarily need your interaction to be executed. It'd be the automatic background calling via a script that'd be the real concern. As Omoronovo said, good browsers will at least give some sort of warning. That definitely helps mitigate it for tech-savvy users, although even that is suboptimal given social engineering. It may also add to the potential attack surface for other exploits that bypass warnings. URLs are not limited to web browsers.

Safari though will just leave you naked. On Windows presumably it's used by almost no one (hopefully no one), but it's probably pretty prevalent for OS X.

MasterInsan0 wrote:

I don't know if OS X supports that or not (I don't own a Mac)

Of course it does, it's the same system used to handle extensions, and yeah the Mac should be vulnerable for a properly crafted payload.

Guyde wrote:

xoa wrote:

Kyle Orland wrote:

If you are running Steam and using a vulnerable browser, you can protect yourself by going into the settings and disabling automatic launching of Steam:// URLs.

I don't actually see any option for that in Steam under OS X. It appears it'd be necessary to delete the entries and then prevent Steam from regenerating them. Ultimately a proper solution needs to come from Valve's side.

I believe the writer meant to go into your *browser* settings and disable automatic launching of "steam://" URLs.

He did not, or if he did he'd be wrong. That functionality is handled at the OS level via adding a CFBundleURLTypes entry to the application and registering an event handler, then getURL. The registered application will be called by default from anywhere. Don't have to be using a browser at all, if you click a link in your IRC client it'll still go right through.

The great thing about Steam is this will probably be patched for everyone in 3 days...

It's not that easy. This is really a family of exploits that rely on different bugs to attack different games and/or engines. Something like limiting the length of the URLs may help, but in the end steam:// URLs allow an attacker to send arbitrary arguments to Steam games, all of which have the potential to be mishandled, allowing an exploit.

Individual games and engines must sanitize all of their inputs that are exposed through steam:// URLs for the problem to truly be fixed. That is going to take a while.

Kyle Orland is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from the University of Maryland. He is based in the Washington, DC area.